feat: Complete NestJS backend scaffold — 22 modules, 39 entities, WebSocket gateway

Full backend rewrite from Rust/Axum to NestJS/TypeScript.
- 22 feature modules (auth, servers, wipes, maps, plugins, players, console,
  chat, team, notifications, settings, schedules, analytics, alerts, status,
  store, webstore, admin, setup, migration, users, licenses)
- 39 TypeORM entities matching PostgreSQL schema (12 migrations)
- Common infrastructure: JWT/RBAC guards, decorators, exception filter
- NATS service with pub/sub/request-reply
- Socket.IO WebSocket gateway with NATS bridge
- Docker: NestJS Dockerfile + updated docker-compose.yml
- Zero compile errors (npx tsc --noEmit clean)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend-nest/src/common/guards/permissions.guard.ts

@@ -0,0 +1,32 @@
+import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { PERMISSION_KEY } from '../decorators/require-permission.decorator';
+
+@Injectable()
+export class PermissionsGuard implements CanActivate {
+  constructor(private reflector: Reflector) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const requiredPermission = this.reflector.getAllAndOverride<string>(
+      PERMISSION_KEY,
+      [context.getHandler(), context.getClass()],
+    );
+    if (!requiredPermission) return true;
+
+    const { user } = context.switchToHttp().getRequest();
+    if (!user) return false;
+
+    // Super admins bypass all permission checks
+    if (user.is_super_admin) return true;
+
+    // Check permissions JSONB from role
+    const permissions = user.permissions as Record<string, boolean> | undefined;
+    if (!permissions) return false;
+
+    // Support wildcard: "server.*" matches "server.view", "server.console", etc.
+    const parts = requiredPermission.split('.');
+    const wildcard = parts[0] + '.*';
+
+    return permissions[requiredPermission] === true || permissions[wildcard] === true;
+  }
+}